TikTok’s in-app browser contains code that allows the Chinese social network to view users’ keystrokes and thus potentially capture sensitive information such as credit card details and passwords.
Rather than opening a page in a web browser such as Chrome or Safari, social networks have their own in-app browsers, which the owner of each app (i.e. Facebook, Twitter, TikTok, etc.) can modify to contain their own code and so gain access to certain information.
In the case of TikTok, software researcher Felix Krause found that, when any link is opened in the platform’s iOS app (links open inside its in-app browser), TikTok subscribes to all keyboard inputs, including passwords, credit card information and any other sensitive information, as well as to every tap on the screen, such as which buttons and links you click.
“This was an active choice the company made,” said Krause. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”
According to company data, TikTok has 1.39 billion users, of whom one billion are monthly active users. According to Sensor Tower, TikTok was the second most downloaded app in the U.S. in November, with 4 million downloads.
What is an in-app browser?
When a link is clicked from an app, rather than the URL opening in a separate web browser, it opens in the application’s own browser.
This generally makes for a smoother user experience, but in-app browsers come with increased security risks, as the host app can alter the page’s code and bypass necessary privacy defences.